|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2002-06-30 07:35 UTC] lampa at brutusmud dot net
when using unset($_SESSION[...]) insted session_unregister(...) and
before calling read _$SESSION[...] variable WILL NOT unset.
please try these examples and see result.
here is method how to produce this bug (you must have cookies enabled):
1. run script
2. reload page (you should see 2 $_SESSION arrays with the same value)
3. click on unset link
4. now you should see first array filled with test value and second
should be empty - that's OK - but variable test should be deleted from
session
5. reload page
6. here is BUG: i unset session variable test so i shouldn't exists,
but exists.
---
7. comment line marked #fatal
and go to repeat process from begining
on step 6. both arrays will be empty!!!!
<?php
session_start();
echo '<pre>';
print_r($_SESSION);
if (isset($_GET['submit'])) {
$test = $_SESSION['test']; # fatal
unset($_SESSION['test']);
} else {
$_SESSION['test'] = 'this is test';
}
echo '<a href="'.$_SERVER['PHP_SELF'].'?submit=yes">unset</a><br>';
print_r($_SESSION);
echo '</pre>';
?>
replace unset($_SESSION['test']); with
session_unregister('test'); and repeat process - here will be
everything OK.
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Fri Dec 05 14:00:02 2025 UTC |
On WinNT 4.0 running Apache 2.0.39/PHP 4.2.2 I have seen the same thing. unset($_SESSION['xyz']) does NOT remove the variable xyz from the session file. It only kills the instance on the page being processed. This is an extremely critical problem if other scripts pass what should be "one-shot" values. The receiving page immediately does an unset thinking that the variable no longer exists ANYWHERE, but if the user does a refresh... poof... the value reappears. Example snippet: Script #1 $_SESSION['manage'] = 'Create'; echo "<input type=button name='continue' value='Create another?' onClick=\"window.location='pcomanage.php'\">\n"; Script 1 is passing 'manage=Create' to pcomanage.php versus POSTing it, as we may not want the user to be clued to anything by viewing source in the browser. Script 2 if (isset($_SESSION['manage'])) { $manage = $_SESSION['manage']; unset($_SESSION['manage']); } Okay, based on my workflow if the session variable 'manage' is set then I know I'm coming from a script (vs. a POST), so I make a local copy and try to kill the session variable created in Script 1. No joy! I have checked the pertinent session file following the processing of the script and 'manage' still appears with it's value (Create).I have the same problem, running 4.1.1 on FreeBSD, put this script somewhere at your site and run it: session_start(); echo '<h2>Session just after session_start()</h2>'; echo '<pre>'; print_r($_SESSION); echo '</pre>'; if(isset($_GET['set'])) { $_SESSION['foo'] = 'bar'; echo '<h2>Session after $_SESSION[\'foo\'] = \'bar\'</h2>'; echo '<pre>'; print_r($_SESSION); echo '</pre>'; } if(isset($_GET['unset'])) { unset($_SESSION['foo']); echo '<h2>Session after unset($_SESSION[\'foo\'])</h2>'; echo '<pre>'; print_r($_SESSION); echo '</pre>'; } if($_GET['step'] == 0) { echo '<a href="unset.php?step=1&set=1">Next</a>'; } if($_GET['step'] == 1) { echo '<a href="unset.php?step=2">Next</a>'; } if($_GET['step'] == 2) { echo '<a href="unset.php?step=3&unset=1">Next</a>'; } if($_GET['step'] == 3) { echo '<a href="unset.php?step=4">Next</a>'; } if($_GET['step'] == 4) { echo '<p>$_SESSION should be an empty array at this point!</p>'; }